Key Reinstallation Attack (KRACK)

Key Reinstallation Attack (KRACK) is a complex attack against the WPA2 protocol. It is a combination of a known-ciphertext attack and a man-in-the-middle attack. The intruder performs the attack during the WPA2 handshake, that is during the initialisation of WPA2 connection. The attack is based on flaws in the standard and its implementations.

At the moment when the details regarding this attack were published (on 16th October 2017) most existing WPA2 implementation were vulnerable to KRACK attack. The authors carefully prepared their publication, by creating a dedicated website, creating videos, and even preparing a special logo (available in many resolutions). They proposed how to fix the standard and prepared patches for all major WPA2 implementations, which should protect them from being vulnerable to attacks based on KRACK.

One may predict that the lifetime of KRACK attack will not be particularly long. Most producers released the high-priority patches, which fix the issue, shortly after the publication. However, it seems reasonable to briefly present the way of performing this attack. This is a practical example of cryptographic attack on two-time-pad.

WPA2 Secret Key

To authenticate itself to the WPA2 wireless network, every device exchange with the router a number of messages. This allows them to generate a common secret key, which will be used to encrypt all their further communication. In order to maintain security, it is required that the key is unique. This means, in particular, that this key has not been used to protect any earlier communication. Read more about the attacks on two-time-pad to find out why this situation should be avoided.

The secret key is created based on a shared network password. In order to make sure that the kay is unique, both sides (the client accessing the network and the wireless router) generate the key based also on some random numbers, called nounces, and their MAC addresses.

In WPA2 protocol, to create the secret key, the client and the router exchange four messages. Two first messages carry the random numbers chosen by both of them and transmitted to the other device. After exchanging those two messages, the router sends a third message to the client. It contains a group key (which is not important for us now) and makes the client generate the secret key. In the last message the client just sends the confirmation to the router.

Performing the Attack

KRACK attack is about forcing the communicating sides to use the same secret keys multiple times.

To achieve that, the first step of the intruder is to perform the man-in-the-middle attack. After faking his MAC address, he will locate himself between both communicating sides. He will pretend that he is one of them. The attacker must be able to intercept and block the messages sending between the router and the client.

In the second step, the attacker should intercept and save the third handshake message. He must also block the client response (the fourth handshake message) and prevent the router from receiving it.

The faulty WPA2 specification recommends the client to generate the secret key every time after receiving the third handshake message. Thanks to that, after some time the attacker can send the third message again, which sets the key to the same value as previously (because it is created based on the same data as before: the password, two nounces and the MAC address.

Depending on the particular algorithm used for encryption of further communication between the router and the client, the attacker may compromise the security to a different extent: starting from discovering the secret key protecting the communication in one direction, through the two-direction communication key (CCMP and GCMP protocols), up to breaking the key completely (because some Linux and Android versions reset the key to zeros as a result of this attack).

It is worth mentioning that the attacker cannot discover the network password stored on both devices. Only the secret key is stolen, which is used only for message encryption during the current session.

Protection against KRACK

KRACK attacks can be easily prevented, by changing the parts of code responsible for WPA2 handshake.

First of all, after receiving the third handshake message and before actually resetting the key, it would be a good idea to check if the key hasn't been already generated. If the key exists, it shouldn't be calculated again.

Also, the values of the nounces and the counters (incremented after sending every message) shouldn't be reset if the key already exists and is used for encryption of ongoing communication.

Conclusion

KRACK attack presented on this webpage is an interesting example of man-in-the-middle attack, performed in order to break two-time-pad encryption.

Above, I presented only the most popular version of this attack. The authors presented a number of attacks on similar protocols (Fast BSS, TDSL, PeerKey), which base on similar handshake algorithms. The presented also the way of stealing the group key and various modifications of this attack for different protocol versions and operating systems. To find out more, you can visit the website which is devoted to KRACK attack: www.krackattacks.com.